Normally I would use the deployment server GUI under setting > Distributed Environment > Forwarder management to create a server class, add clients, and then add apps (for inputs and outputs) to be deployed.
But for some reason the GUI is read only, I believe it is due to "flterType = blacklist " in many serverclass stanzas, but I am not sure how to edit the stanza so the GUI will work again.
So going manual edit route via CLI, I am not making sense of the syntax for directly editing the serverclass.conf.
Could any one walk me thru how to edit the server class?
Thank you
A better, more controlled approach would be to edit serverclass.conf directly.
You can looks for which serverclass.conf is storing your serverclass configuration by using btool command on the deployment server:
./splunk btool serverclass list --debug | grep "\["
A better, more controlled approach would be to edit serverclass.conf directly.
You can looks for which serverclass.conf is storing your serverclass configuration by using btool command on the deployment server:
./splunk btool serverclass list --debug | grep "\["
Thank you for the reply. I will look at the post and check the tool.
But the part I am not clear on is writing the stanzas, so here is my attempt
in /opt/splunk/etc/system/local
edit serverclass.conf to create class and add clients
#This server class is for my AWS instances
[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-* (for example all the instance names start with ip-192-168-1-[x].ec2.internal)
So now I need to create some inputs and outputs for the class (for example aws_inputs, aws_outputs)
in /opt/splunk/etc/deployment-apps/
this is where I get stuck...
I see previously created deployment-apps (folders) in the directory,
when I cd into them I see default and local, local has only app.conf with one comment #Autogenerated file
but default has an outputs.conf with the correct information.
The inputs will be monitoring a log source, which I could enter on each end point but would rather deploy an app.
Please advise how I create the two apps by CLI? Or possibly I am missing the CLI instructions.
Do I create a couple more stanzas in serverclass.conf? will that auto-create the deployment apps?
#This is for aws instances inputs
[serverClass:AWS_instances:app:aws_inputs]
stateOnClient = enabled
restartSplunkd = true
#This is for aws instances outputs
[serverClass:AWS_instances:app:aws_outputs]
stateOnClient = enabled
restartSplunkd = true
Thank you
You create the app on /opt/splunk/etc/deployment-apps/YourAppName (which will include a default OR local directory with inputs.conf with your monitoring statements). I'll recommend you create a aws_props_transforms app which will have your sourcetype definitions (line breaking , timestamp parsing etc) as well. This app will go to your indexers Or heavy forwarders. Now to assign your aws servers (deployment clients) those apps, you'll add the app assignment stanza within your AWS_instances serverclass, like this
[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*
restartSplunkd = true
[serverClass:AWS_instances:app:aws_outputs]
[serverClass:AWS_instances:app:aws_outputs]
Other attributes (stateOnClient) are using default values, so I'm ignoring it. Reload or restart your deployment server instance for these changes to take effect (reload happens automatically when you make these changes by UI).
Thank you very much for the outstanding explanation.
Please convert to an answer so I can accept.
Here you go.
You can see this for what all stuff you add to your serverclass.conf
http://docs.splunk.com/Documentation/Splunk/7.0.3/Updating/Useserverclass.conf